CVE-2016-3096: Improper Link Resolution Before File Access

October 10, 2018 (updated September 17, 2021)

The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on the archived container in the archive_path directory, or the lxc-attach-script.err files in the temporary directory.

References

github.com/advisories/GHSA-rh6x-qvg7-rrmj
nvd.nist.gov/vuln/detail/CVE-2016-3096

Code Behaviors & Features

Detect and mitigate CVE-2016-3096 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →